Score:1

Windows certificate import not accepting private key password

kz flag

I'm trying to follow the instructions provided here: https://codekabinett.com/rdumps.php?Lang=2&targetDoc=create-install-ssl-tls-certificate-sql-server for setting up a self-signed certificate for use in testing. I was able to successfully create the certificate and key and convert them into a .pfx file. Now I'm trying to actually import that pfx to the local machine using the certificate import wizard. After selecting the file, it asks for the password for the private key. I assume that this is either the password chosen when creating the cert or when converting to pfx. Either way, it will not accept the password. I double checked to make sure I wasn't typing it wrong. I deleted all the files and recreated them using the same password for both. Still rejected. At this point I'm not sure what else to try. What am I missing here?

FYI, here are the commands I used to generate the files:

openssl req -x509 -newkey rsa:4096 -keyout C:\Users\pbuchheit\sqlkey.pem -out c:\Users\pbuchheit\sqlcert.pem -days 3650 -extensions server_ssl

openssl pkcs12 -export -out C:\Users\pbuchheit\sqlcert.pfx -inkey C:\Users\pbuchheit\sqlkey.pem -in C:\Users\pbuchheit\sqlcert.pem

Update:

The problem seems to have something to do with the pfx file. If I try to install a normal certificate (.crt) file it works fine. Could the password be getting deleted or changed when converting the crt and key into a pfx?

dave_thompson_085
It should be the 'Export' password given to `openssl pkcs12 -export`; if the password for the PEM file was different, that has no effect on the pkcs12. Does it contain any non-ASCII character(s)? If so, openssl uses 'console' I/O with an old-style codepage, while the wizard is a GUI with native Unicode, which likely produces different bytes for the same keystrokes and thus doesn't work; try command-line `certutil` or powershell `import-pfxcertificate` (with `convertto-securestring`).
kz flag
@dave_thompson_085 The password is letters only. I just went through the process again and tried using 'password' as the export password. It still rejects it when I try to do the import.
Score:2
kz flag

I finally found the answer here: https://stackoverflow.com/a/70369871/1860222. Apparently, the import wizard was giving garbage feedback and the problem had nothing to do with the password. As it turns out, openssl defaults to an encryption that is not compatible with Windows 10. Once I explicitly set the encryption for the pfx to something Windows could handle, the import worked fine.

The final command ended up looking like this:

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out C:\Users\pbuchheit\turadev.pfx -inkey C:\Users\pbuchheit\turadev.key -in C:\Users\pbuchheit\turadev.crt
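As an added example (not code from this thread or from the linked answer), here is a stdlib-only Python checker that walks a .pfx file's DER structure and reports whether its PKCS#12 encryption and MAC algorithms are the legacy PBE-SHA1-3DES set used in the command above or the OpenSSL 3 defaults (PBES2 with AES-256-CBC and a SHA-256 MAC). The OID table and the verdict strings are mine, and `SAMPLE_OPENSSL3` is constructed bytes, not a real export.

```python
# OID (DER content octets, hex) -> (dotted OID and name, class); "legacy" algorithms are the
# ones the Windows import wizard accepts, "modern" ones are the OpenSSL 3 defaults it rejects.
ALGS = {"2a864886f70d010c0103": ("1.2.840.113549.1.12.1.3 pbeWithSHA1And3-KeyTripleDES-CBC", "legacy"),
        "2a864886f70d010c0106": ("1.2.840.113549.1.12.1.6 pbeWithSHA1And40BitRC2-CBC", "legacy"),
        "2b0e03021a": ("1.3.14.3.2.26 SHA-1 (MAC digest)", "legacy"),
        "2a864886f70d01050d": ("1.2.840.113549.1.5.13 PBES2 (PBKDF2)", "modern"),
        "60864801650304012a": ("2.16.840.1.101.3.4.1.42 AES-256-CBC", "modern"),
        "608648016503040201": ("2.16.840.1.101.3.4.2.1 SHA-256 (MAC digest)", "modern")}

def _tlvs(data):
    """Yield (tag, content) per DER element; raise ValueError/IndexError if not clean DER."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:  # long-form length with 1..4 length octets
            n = length & 0x7F
            if not 1 <= n <= 4 or pos + n > len(data):
                raise ValueError("bad length")
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if pos + length > len(data):
            raise ValueError("truncated")
        yield tag, data[pos:pos + length]
        pos += length

def iter_oids(der):
    """Yield every OID (as hex of its content octets), recursing into constructed types and
    into OCTET STRINGs that hold valid DER (PKCS#12 nests its safes and the key bag that way);
    ciphertext, salts and the MAC value fail the DER probe and are skipped."""
    for tag, content in _tlvs(der):
        if tag == 0x06:
            yield content.hex()
        elif tag & 0x20 or tag == 0x04:
            try:
                list(_tlvs(content))  # probe: is this payload itself DER?
            except (ValueError, IndexError):
                continue
            yield from iter_oids(content)

def classify_pfx(der):
    """Return (verdict, sorted algorithm names) for the raw bytes of a .pfx/.p12 file."""
    found = {o for o in iter_oids(der) if o in ALGS}
    kinds = {ALGS[o][1] for o in found}
    verdict = ("OpenSSL 3 defaults: the Windows 10 import wizard will likely reject it" if kinds == {"modern"}
               else "legacy PBE-SHA1-3DES style: importable by Windows" if kinds == {"legacy"}
               else "mixed or unrecognised: inspect with openssl pkcs12 -info")
    return verdict, sorted(ALGS[o][0] for o in found)

# Constructed sample (not a real export): a PBES2/AES-256 AlgorithmIdentifier inside an
# OCTET STRING, a SHA-256 MAC digest OID and an opaque salt, the shapes a real PFX nests.
SAMPLE_OPENSSL3 = bytes.fromhex("302D 041A 3018 0609 2A864886F70D01050D 300B 0609"
                                " 60864801650304012A 0609 608648016503040201 0404 DEADBEEF")
```

Run `classify_pfx(open(path, "rb").read())` on the exported file before importing; a file built with legacy PBE that still carries a SHA-256 MAC reports as mixed, which is the case the `-nomac` flag in the command above removes.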